Can TCPDump and TCPReplay be used to record(tcpdump) network traffic coming in to a application server/webserver/queue application etc., and then replayed using the dump on TCPReplay?
Let's say I setup a apache server and use TCPDump to capture the entire network traffic and dump it to a file. Now I run apache in a different machine and want to replay the traffic to this new apache server using the file. How can I achieve this?
I especially want to understand how TCPReplay would work in such a scenario. i.e. how would syn/ack responses work for TCP. How would a new a connection etc. be initiated?
Fred is right. Also, this question is answered in the Tcpreplay FAQ: http://tcpreplay.synfin.net/wiki/FAQ#Doestcpreplaysupportsendingtraffictoaserver
No, you cannot use Tcpreplay to replay traffic to a server. TCP sessions have random sequence numbers, and are fully stateful. Replaying previously recorded TCP traffic will be ignored by a server.
Related
I am trying to use wireshark to debug some network traffic between my machine and a remote mysql server. I downloaded mysql_complete.pcap file and when I open it up in wireshark it shows as:
I also tried mysql-ssl.pcapng and it shows up as:
but the communication between my machine and the remote mysql server is showing up as a cryptic ESP protocol:
Could anyone explain why and what can I do to inspect the traces as understandable MySQL
This happened as the two machines were communicating over a secure VPN. I don't know if there is a way to convert the ESP messages into MySQL
This is a little late. As mentioned by #morpheus, it appears that there is VPN here. So to capture the traffic in clear text, you should not select the standard network interface to sniff on, you can sniff on the VPN interface.
I have this project for my classes i'm currently workin' on. here it is:
WebPage client for Telnet not on standard ports, with ability to choose a port and connect
I have machines with telnet servers on them, just waiting for connection.
So my idea was to set up a nodeJS with express server on a dedicated machine. This would handle connections through telnet and host a page for clients, that would use socket.io to exchange information with server side.
But as i'm new to such technologies (telecommunications student) i wonder if it is possible. I spotted something like this - jsterm.com by Peter Nitsch, but i see there are some massive gaps in code and the demo does not really work so i don't know if it actually works. Did anyone try this?
My other problem is - when i send information to nodeJS server through websockets, which seems achievable for me, what do i do with this information? Do i just set up another websocket to pass the same data i got from client websocket directly to the telnet port?
Can sockets connect directly to specific port, without any websocket waiting on the other side?
If my idea is wrong, could anyone help me - maybe there exists some nice solution - i was thinking about Anyterm for example but i see that it requires an apache server and runs completely different technologies...
Just to be clear, WebSocket connections are not raw TCP socket connections. They have extra header information in each packet, browser to server data is masked using a running XOR, etc.
In order for the browser to communicate with a normal TCP server (e.g. a telnet server) you will need some sort of bridge service. It just so happens that such a thing already exists. websockify is a server that accepts WebSocket connections and bridges them to a raw TCP server.
In fact, the websockify project already includes a working telnet client as an example application. However, note that one limitation of websockify (for security reasons) is that the client cannot pick an arbitrary server address/port to connect to. The target address(es) must be predefined, either as a single target specified on the command line for websockify, or as multiple targets specified in a configuration file (and selected via a token in the WebSocket connect string).
There are multiple implementations of websockify in different languages (python, C, node, ruby, Clojure) however, only the python version currently supports multiple targets via a configuration file.
Disclaimer: I created websockify.
My app is using a TUN say tun0. In the design, my app will receive an UDP which includes an full IP layer, then I will take the IP layer out and then use 'file write' to put them into my own tun0 device, supposedly in design, I should can read the packet out again from tun0.
Now the situation is I can see through tcpdump the package is wrote into the tunnel, but I couldn't read them back.
Something wrong with tunnel setting or route setting?
Thanks in advance
Yang
Your second tun0 is not a FIFO queue. You may have a problem in your design of how and why your are using the second tun0 device. Clarify why you are using it and which process should be reading. The proper approach should flow from that clarification.
If you want to read the data you send into you have some options.
Connect tun0 to an TCP or UDP echo service when you open it. This will then send you back the packets you stuff into it.
Open a listener for the second tun0 to connect to. Then connect to it and send the packets out that connection. Read your data from the listener side.
Open a pipe with two file descriptors. Write to one descriptor and read from the other. Pipes are often used for IPC (Inter-Process Communication) when forking children.
Create a socket and read data from it. Open the other end of the socket for writing. Sockets are often used to allow other processes to communicate with a process. This works well when the calling processes may have a different lifetime than the listening process.
Create a buffer or queue in memory to store the data.
I already have a server with port and want to write a web app to get the information form the port. Will this be possible with WebPorts?
The Client doesn't even need to talk back to the server, which is the whole point of websockets I would imagine, but since I already have the ports setup, I might be easier and cleaner to just connect and get the info without having to refresh.
WebSockets are not intended as clear TCP channels over which other existing protocols can be implemented.
WebSockets are designed to allow messages to be sent between a client and server, where an event is raised each time a message is received.
Hence a WebSocket client cannot simply connect to an existing TCP server - that server also has to speak the WebSocket protocol.
You could of course write a WebSocket-based server that does nothing but act as a proxy to existing network services.
I think you want websockify which is a WebSocket to plain TCP socket bridge/proxy. It also allows sending and receiving of binary data with the older version of the WebSocket protocol which hadn't yet added direct binary data support.
Disclaimer: I created websockify.
A process is connecting to a certain ip or domain, but I do not know what it is. The process can't connect to the server. How do I find and change it?
TCPView and netstat work best for connections already established, which isn't the original poster's position.
A better tool for this task is a packet sniffer, which can observe the connection attempt. I recommend Wireshark, which is available for all major platforms.
Details:
Install, then start Wireshark
Press Ctrl-K to start capturing
Select the network interface that you expect the program to use
Type "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" in the Capture Filter box (no quotes)
Start the capture, go make your program try to connect, and then stop the capture.
If you do the last step fast enough on a machine without a lot of other network activity, you will have only one captured packet. Otherwise, you'll have to dig through a list to find the one you want. This packet will show the TCP port the program is trying to use.
Type netstat at the cmd prompt to see what ports are being used by active processes. Aside from that, you can't change the port being used by the proc to connect (unless you built the app obviously)
TCPView is a nice little utility that will show you all the open connections and endpoints on the local machine.
If the program is connecting using a DNS name (e.g., example.com), you can use the hosts file (c:\windows\system32\drivers\etc\hosts) to make that name map to a different IP address.
If you mean redirect the connection programmatically, that is a lot more complicated. You're not writing malware, are you?